On 2015-07-19 at 00:45, walt wrote:
> On Sat, 18 Jul 2015 12:21:39 +0200
> "Stefan G. Weichinger" <lists@×××××.at> wrote:
>
>>
>> Does anyone (aside from Diego, as I know from his blog) use Yubico
>> Yubikeys with Gentoo?
>>
>> I am especially interested in getting it to work within Gnome, to
>> authenticate ssh-sessions (using the smartcard feature of the Yubikey
>> NEO).
>>
>> There are X howtos out there ... telling me to add udev-rules, disable
>> gnome-keyring, run keychain ... etc etc
>>
>
> What an amazing coincidence. I just listened to a podcast about an hour
> ago where the process was explained in detail (even mentioning the NEO
> model and smartcard in particular). Weird.
>
> I'm curious to know if this link actually gives you what you asked for:
>
> http://www.jupiterbroadcasting.com/85062/ssh-authentication-with-yubikey-las-373/
>
> You can either watch (or listen to) the podcast, or scroll down the page
> about one-third to see written instructions. (Instructions based on
> ubuntu, not gentoo, but I'm sure you can translate :)

Thanks. Ok, didn't yet know about that piv-tool, will build it later
this day and try it.

The instructions there seem to be simply taken from the yubico website:

https://developers.yubico.com/yubico-piv-tool/SSH_with_PIV_and_PKCS11.html

The howto doesn't use gpg-(sub)keys for ssh-auth; so far I followed
howtos like this:

https://stafwag.github.io/blog/blog/2015/06/16/using-yubikey-neo-as-gpg-smartcard-for-ssh-authentication/

As I have an existing gpg-keyring I am cautious not to break things.
So I added subkeys with 2048 bits to make them fit on the SC-part of the
Neo Yubikey (my main key is 4096 bits long).

This guy

http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

moves on to a new main key while doing all this ... maybe I should
consider this as well.

All the howtos out there have in common that the process of handling
all the needed parts feels kind of unintuitive and scary. And I always
wonder if I haven't missed a thing and locked myself out forever ;-)

I had ssh using the (gpg-)subkey from the card already on one machine.
Somehow it stopped working again and I am not sure what I screwed up.

All this led me to using keychain (
https://wiki.gentoo.org/wiki/Keychain ) ... to control agents for gpg
and ssh (and cache PINs/passphrases). So I have to disable parts of the
gnome-keyring (maybe the whole?) to let keychain manage that.

Many moving parts included.

Stefan
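A small diagnostic for the "which agent is ssh actually talking to" confusion described above (gnome-keyring vs. gpg-agent vs. a keychain-started ssh-agent). This is an added example, not code from the thread or from keychain/GnuPG; the socket path patterns and the `cardno:` comment that gpg-agent puts on card-backed keys in `ssh-add -L` output are assumptions based on common defaults.

```sh
#!/bin/sh
# Classify the agent behind an SSH_AUTH_SOCK path. Patterns are assumptions:
#   gnome-keyring : .../keyring/ssh  or  /tmp/keyring-XXXX/ssh
#   gpg-agent     : .../S.gpg-agent.ssh   (needs enable-ssh-support)
#   ssh-agent     : /tmp/ssh-XXXX/agent.NNN (also what keychain starts)
classify_agent_socket() {
  case "$1" in
    "")                  echo none ;;
    */keyring*/ssh)      echo gnome-keyring ;;
    */S.gpg-agent.ssh)   echo gpg-agent ;;
    */ssh-*/agent.*)     echo ssh-agent ;;
    *)                   echo unknown ;;
  esac
}

# Given the text of `ssh-add -L`, succeed if a smartcard-backed key is listed.
# gpg-agent labels keys that live on a card with a "cardno:<serial>" comment;
# a key from gnome-keyring or a file-based ssh-agent will not carry it.
has_card_key() {
  printf '%s\n' "$1" | grep -q 'cardno:'
}

# Constructed sample output (fake key material, fake serial), not a real key.
SAMPLE_CARD_LIST='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLE cardno:000000000000'

# Run against the live environment when executed directly.
main() {
  echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK -> $(classify_agent_socket "$SSH_AUTH_SOCK")"
  if has_card_key "$(ssh-add -L 2>/dev/null)"; then
    echo "a card-backed key is offered to ssh"
  else
    echo "no card-backed key offered: check which agent owns SSH_AUTH_SOCK"
  fi
}
[ "${0##*/}" = "agent-check.sh" ] && main
```

If the socket classifies as gnome-keyring while the card key is expected from gpg-agent, that is the part of gnome-keyring (its ssh component) that needs to be disabled before keychain's agents can take over.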